Britain takes digital ID out of beta as U.S. lags

The United Kingdom will go live with its governmentwide digital identity platform, GOV.UK Verify, in the coming days. The U.S. government will need a little more time.

British citizens can access tax, pension and drivers licensing information through a single, secure login called GOV.UK Verify. The system is set to exit a public beta and go live the week of May 23.

Under GOV.UK Verify, the U.K. Post Office, the recently privatized Royal Mail, and a host private companies -- including credit bureau Experian, mobile provider Verizon and the bank Barclays -- act as brokers to leverage existing secure credentials for use in governmental transactions.

The shared service credential model is expected to expand across departments in the U.K. to offer citizen access to the full range of government functions.

By contrast, U.S. efforts to provide citizens with a single credential to access government services can be charitably describe as lagging.

The IRS has on its own tried to offer taxpayers access to their prior-year returns using knowledge-based security protocols, resulting in breaches numbering in the hundreds of thousands. The tax agency is going to reboot the Get Transcript tool soon, with tighter security features. Other agencies have their own use-specific logins, but nothing like the overarching access offered by UK.GOV Verify.

It's not for lack of trying.

Until recently, the National Strategy for Trusted Identities in Cyberspace was the main locus of activity on this front. The effort, housed at the National Institute of Standards and Technology, gives grants to private companies and non-profits to run pilots in the establishment of federated identities along the lines of what GOV.UK Verify have achieved, using a mix of commercial and official credentials to confirm individual identities.

Jeremy Grant, who used to head NSTIC, told FCW that the U.K. has the advantage when comes to authority, resources and discipline. The U.K., Grant said, corralled all the efforts into its shared service model, and shut down duplicative programs.

"In the U.S., while the White House indicated that all agencies should use the shared service, there have not been any real consequences for agencies that go their own way," Grant said. "So U.S. efforts depended more on a 'coalition of the willing' when it comes to agencies adopting this approach. And that makes things go slower."

The UK.GOV Verify was also better funded, with five times the spending for a government serving a population one-fifth the size of the U.S.

"This let the [U.K.'s Government Digital Service] team build a very competent, sophisticated, robust operation and solution, and ensured that agencies there weren't scrambling for budget to pay for Verify," Grant said. "In the U.S., a pass the hat approach was taken to fund things, there was no dedicated funding. That set up a very different dynamic." 

The closest thing in the U.S. to UK.GOV Verify is Connect.gov -- imagined as a single log-in to access the range of government services. It was launched as an NSTIC project, and designed as a cloud-based shared service that agencies could sign up to use, essentially as their front door. The Post Office was tapped as a partner in identity proofing, and as a likely hub of any in-person verification activity that had to take place. But the effort, like the British work, was to tap commercial partners.

The project was also seen as the means to accomplish the goals of a 2014 Obama administration executive order that required that "all agencies making personal data accessible to citizens through digital applications require the use of multiple factors of authentication and an effective identity proofing process, as appropriate."

The target date for completion set forth in the order was April 17, 2016.

The project seemed to gather steam when the General Services Administration took over the project from NSTIC and issued an RFI to vendors in mid-April 2015, seeking information on a federated digital identity ecosystem.   

According to contracting documents, the Department of Veterans Affairs was planning on consolidating its identity-proofing applications to incorporating the Connect.gov ID. The firm SecureKey had a contract to provide broker hub service, while Verizon and ID.me were providing credentialing services. But the RFI never blossomed into a request for proposals.

The newly enfranchised 18F organization at GSA announced in a May 10 blog post that it had taken the lead, "to tackle the inconsistent, difficult experience that the public has logging in and proving their identity when interacting with the government online."

In the post, 18F said they are taking cues from the lessons learned in the design of GOV.UK Verify.

"This system is designed to be your one account for government…The end goal is a drastic reduction in both the time it takes to accomplish certain tasks and a significant reduction in the amount of paperwork or forms that need to be submitted," according to the blog post.

While 18F says it will build on the foundations of the Connect.gov effort, it appears that the Connect.gov brand will be retired. It's not clear what will become of all the work that private companies put into trying to participate in a federated credentialing ecosystem.

An 18F spokesperson referred an FCW reporter to the blog post for information on this topic, and did not otherwise elaborate.

Grant, who is now a managing director at the Chertoff Group, told FCW that he's hearing from firms that are feeling out of the loop after having "gone through the exhaustive and expensive process GSA established for getting their solutions accredited for government use."  

"The private sector partners are asking whether they are still partners, whether there is still a place for them in this government identity ecosystem," Grant said. "In the UK, they know where they stand; in the U.S., not so much now."

NSTIC and NIST are still in the game. NIST recently posted a pre-draft preview of its updated digital authentication guidelines to GitHub for comment.

"There are many updates to this document that make room for federal agencies to adopt market innovations, leverage the solutions individuals already have, and establish increased global alignment of identity practices," acting NSTIC director Michael Garcia told FCW.  

"Agencies are making great strides, and our pilots have demonstrated secure and interoperable solutions that enhance privacy for individuals while reducing cost for providers, all while improving the digital experience," Garcia said. "We're heartened to see these private sector solutions deployed throughout the marketplace, including across government, and look forward to even more adoption over time." NSTIC continues to coordinate with the U.K. digital service and hopes to build off their work.

But as to a go-live date for a governmentwide digital log-in, that will likely have to wait for the next administration.

While allowing that GSA has its reasons for its new approach, Grant said that the pivot "equates to a conscious decision to push back delivery of a real solution agencies can use to start offering more high value, citizen-facing digital applications."

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.